<p>An XML External Entity or XSLT External Entity (XXE) vulnerability can occur when a <code>javax.xml.transform.Transformer</code> is created without
enabling "Secure Processing" or when one is created without disabling resolving of both external DTDs and DTD entities. If that external data is being
controlled by an attacker it may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the
perspective of the machine where the parser is located, and other system impacts.</p>
<p>This rule raises an issue when a <code>Transformer</code> is created without either of these settings.</p>
<h2>Noncompliant Code Example</h2>
<pre>
Transformer transformer = TransformerFactory.newInstance().newTransformer();
transformer.transform(input, result);
</pre>
<h2>Compliant Solution</h2>
<p>Recommended:</p>
<pre>
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Transformer transformer = factory.newTransformer();

transformer.transform(input, result);
</pre>
<p>Implementation dependent:</p>
<pre>
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Transformer transformer = factory.newTransformer();

transformer.transform(input, result);
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)">OWASP Top 10 2017 Category A4</a> - XML External Entities
  (XXE) </li>
  <li> <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory">OWASP XXE Cheat
  Sheet</a> </li>
  <li> <a href="http://cwe.mitre.org/data/definitions/611.html">MITRE, CWE-611</a> - Improper Restriction of XML External Entity Reference ('XXE')
  </li>
  <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#XXE_DTD_TRANSFORM_FACTORY">XXE_DTD_TRANSFORM_FACTORY</a> </li>
  <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#XXE_XSLT_TRANSFORM_FACTORY">XXE_XSLT_TRANSFORM_FACTORY</a>
  </li>
</ul>
<h2>Deprecated</h2>
<p>This rule is deprecated; use {rule:java:S2755} instead.</p>

